More here:

* weex https://aur.archlinux.org/cgit/aur.git/commit/?h=weex&id=a0c039fbdce60a37c5db30004744147020dd0649 * nikki https://aur.archlinux.org/cgit/aur.git/commit/?h=nikki&id=08c13fe0214275c3e47bf21923376b1fce1521e3

Both use js-digest instead of atomic-lockfile. All contributor email
addresses in the PKGBUILD were also replaced with fake Gmail addresses
([email protected] and [email protected] respectively).

I've got 2 "AUR Package Update" emails each but only one malicious
commit, so it looks like there is a script which will periodically
rewrite git history.


Reply via email to